522 Errors from specific locations

Hi all,

Our application is hosted on AWS behind an AWS Application Load Balancer listening on port 443.

Proxying through Cloudflare with a CNAME DNS record works fine, but not from all locations. Our team is spread around different locations in the world and some get a 522 error while some do not.

The ALB security group is not blocking any traffic.

Thanks a lot for your help,
Chris

What’s the domain giving the 522 error? Also below are some fixes that might help solve your problem

Error 522: connection timed out

Error 522 occurs when Cloudflare times out contacting the origin web server. Two different timeouts cause HTTP error 522 depending on when they occur between Cloudflare and the origin web server:

  1. Before a connection is established, the origin web server does not return a SYN+ACK to Cloudflare within 15 seconds of Cloudflare sending a SYN.
  2. After a connection is established, the origin web server doesn’t acknowledge (ACK) Cloudflare’s resource request within 90 seconds.

An HTTP 524 error occurs if the origin web server acknowledges (ACK) the resource request after the connection has been established, but does not send a timely response.

Resolution

Contact your hosting provider to check the following common causes at your origin web server:

  • (Most common cause) Cloudflare IP addresses are rate limited or blocked in .htaccess, iptables, or firewalls. Confirm your hosting provider allows Cloudflare IP addresses.
  • An overloaded or offline origin web server drops incoming requests.
  • Keepalives are disabled at the origin web server.
  • The origin IP address in your Cloudflare DNS app does not match the IP address currently provisioned to your origin web server by your hosting provider.
  • Packets were dropped at your origin web server.

If you are using Cloudflare Pages, verify that you have a custom domain set up and that your CNAME record is pointed to your custom Pages domain. Instructions on how to set up a custom Pages domain can be found here.

If none of the above leads to a resolution, request the following information from your hosting provider or site administrator before contacting Cloudflare support:

  • An MTR or traceroute from your origin web server to a Cloudflare IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP recorded in the origin web server logs.
  • Details from the hosting provider’s investigation such as pertinent logs or conversations with the hosting provider.

Thanks for your help.

It turned out to be an entry in the routing table that was directing a specific CIDR to somewhere else and this happened to overlap with one of the Cloudflare IPs.
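The root cause reported above (a route-table entry whose CIDR overlapped a Cloudflare range, so SYN+ACKs to that part of Cloudflare never came back) and the advice earlier in the thread to identify the Cloudflare IPs recorded in the origin logs both reduce to the same check: compare address ranges against Cloudflare's published list. The script below is an added example, not code from this thread or from Cloudflare. The Cloudflare ranges embedded in it are an illustrative subset, so the current, complete list should be fetched from https://www.cloudflare.com/ips/ before relying on the result; the route-table entries and the ALB-format access-log lines are constructed sample data, and the peering route `104.16.0.0/16 -> pcx-0def` is a hypothetical entry placed there to reproduce the overlap.

```python
import ipaddress

# Illustrative subset of Cloudflare's published IPv4 ranges (assumption: replace
# with the complete, current list from https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13")
]

# Constructed route-table entries in the shape of an AWS VPC route table
# (destination CIDR, target). The 104.16.0.0/16 peering route is hypothetical and
# deliberately overlaps a Cloudflare range: traffic for that slice of Cloudflare
# would be sent to the peering connection instead of the internet gateway.
SAMPLE_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-0abc"),
    ("104.16.0.0/16", "pcx-0def"),
    ("192.168.50.0/24", "vgw-0123"),
]


def find_overlapping_routes(routes, cf_ranges=CLOUDFLARE_RANGES):
    """Return (route_cidr, target, cloudflare_cidr) for every specific route whose
    destination overlaps a Cloudflare range. The default route (/0) is skipped
    because it overlaps everything and is where Cloudflare traffic should go."""
    hits = []
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            continue
        for cf in cf_ranges:
            if net.version == cf.version and net.overlaps(cf):
                hits.append((cidr, target, str(cf)))
    return hits


# Constructed lines in the ALB access-log field order: type, time, elb,
# client:port, target:port, ... so the client address is field index 3.
SAMPLE_LOG_LINES = [
    "https 2024-01-01T00:00:00Z app/my-alb/123 173.245.48.17:44321 10.0.1.5:443 0.001 0.010 0.000 200 200",
    "https 2024-01-01T00:00:01Z app/my-alb/123 104.20.3.9:51002 10.0.1.5:443 0.001 0.012 0.000 200 200",
    "https 2024-01-01T00:00:02Z app/my-alb/123 203.0.113.7:40001 10.0.1.5:443 0.001 0.009 0.000 200 200",
    "https 2024-01-01T00:00:03Z app/my-alb/123 173.245.48.17:44322 10.0.1.5:443 0.001 0.011 0.000 200 200",
]


def classify_log_clients(lines, cf_ranges=CLOUDFLARE_RANGES):
    """Split the distinct client addresses in ALB-format log lines into those that
    belong to Cloudflare and those that do not. Traffic reaching the origin from
    outside Cloudflare's ranges means the origin is reachable without the proxy."""
    cloudflare, other = set(), set()
    for line in lines:
        client = line.split()[3].rsplit(":", 1)[0]
        addr = ipaddress.ip_address(client)
        if any(addr in cf for cf in cf_ranges):
            cloudflare.add(client)
        else:
            other.add(client)
    return sorted(cloudflare), sorted(other)


if __name__ == "__main__":
    for cidr, target, cf in find_overlapping_routes(SAMPLE_ROUTES):
        print(f"route {cidr} -> {target} overlaps Cloudflare range {cf}")
    cf_clients, non_cf_clients = classify_log_clients(SAMPLE_LOG_LINES)
    print("Cloudflare clients seen:", cf_clients)
    print("non-Cloudflare clients seen:", non_cf_clients)
```

To run it against a real VPC, feed the destination/target pairs from `aws ec2 describe-route-tables` into `find_overlapping_routes` and ALB access-log lines from S3 into `classify_log_clients`; a route hit on anything other than the default route is the condition described in the last post, and a Cloudflare address from the log output is the one to use for the MTR the earlier reply asks for.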